dcrat | 3255000372abfedfb82e869c9117283e82bff3aac1a6e2f26af63958a3f0a38d

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 08:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_3255000372abfedfb82e869c9117283e82bff3aac1a6e2f26af63958a3f0a38d.exe
Size

1.3MB
MD5

b5d8be9e2f52c2f7780f52f42ab1c305
SHA1

726fd0f5c0ccd34a818e7f74b6d601db7d9dd990
SHA256

3255000372abfedfb82e869c9117283e82bff3aac1a6e2f26af63958a3f0a38d
SHA512

28ca744521783c861b814e6ce4885c6c79d89bb0e1df132518e94e217f5ec1e46a7063bb68f9db1dd58c3ce0bbbc10722d4d0c5c974cc960d510e677e0d1fbe1
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	480	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	636	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	280	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	652	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	3004	schtasks.exe	34

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00080000000156a6-10.dat	dcrat
behavioral1/memory/2584-13-0x0000000000E10000-0x0000000000F20000-memory.dmp	dcrat
behavioral1/memory/2764-150-0x00000000008C0000-0x00000000009D0000-memory.dmp	dcrat
behavioral1/memory/1632-209-0x0000000000DF0000-0x0000000000F00000-memory.dmp	dcrat
behavioral1/memory/1968-329-0x00000000000A0000-0x00000000001B0000-memory.dmp	dcrat
behavioral1/memory/2612-389-0x0000000000800000-0x0000000000910000-memory.dmp	dcrat
behavioral1/memory/2252-449-0x0000000001390000-0x00000000014A0000-memory.dmp	dcrat
behavioral1/memory/1036-568-0x0000000000210000-0x0000000000320000-memory.dmp	dcrat
behavioral1/memory/2228-628-0x0000000000D50000-0x0000000000E60000-memory.dmp	dcrat
behavioral1/memory/2776-688-0x00000000010B0000-0x00000000011C0000-memory.dmp	dcrat
behavioral1/memory/1920-748-0x0000000000280000-0x0000000000390000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2632	powershell.exe
2608	powershell.exe
2664	powershell.exe
2668	powershell.exe
2700	powershell.exe
2944	powershell.exe
2716	powershell.exe
2792	powershell.exe
2676	powershell.exe
2600	powershell.exe
2780	powershell.exe
2804	powershell.exe
2708	powershell.exe
2872	powershell.exe
2712	powershell.exe
2720	powershell.exe
2552	powershell.exe
2728	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2584	DllCommonsvc.exe
2764	System.exe
1632	System.exe
2092	System.exe
1968	System.exe
2612	System.exe
2252	System.exe
2676	System.exe
1036	System.exe
2228	System.exe
2776	System.exe
1920	System.exe

Loads dropped DLL 2 IoCs

pid	Process
2848	cmd.exe
2848	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com
22	raw.githubusercontent.com
25	raw.githubusercontent.com
32	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
18	raw.githubusercontent.com
29	raw.githubusercontent.com
36	raw.githubusercontent.com

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files\Java\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\ebf1f9fa8afd6d	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\System.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\56085415360792	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\6ccacd8608530f	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ehome\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Windows\ehome\a76d7bf15d8370	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3255000372abfedfb82e869c9117283e82bff3aac1a6e2f26af63958a3f0a38d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2540	schtasks.exe
2040	schtasks.exe
1740	schtasks.exe
2400	schtasks.exe
2832	schtasks.exe
2468	schtasks.exe
2908	schtasks.exe
2948	schtasks.exe
2340	schtasks.exe
688	schtasks.exe
1772	schtasks.exe
2096	schtasks.exe
2348	schtasks.exe
568	schtasks.exe
2352	schtasks.exe
1944	schtasks.exe
2624	schtasks.exe
1900	schtasks.exe
2868	schtasks.exe
1796	schtasks.exe
1788	schtasks.exe
960	schtasks.exe
2920	schtasks.exe
1920	schtasks.exe
2436	schtasks.exe
2196	schtasks.exe
1632	schtasks.exe
2520	schtasks.exe
2276	schtasks.exe
1324	schtasks.exe
480	schtasks.exe
1980	schtasks.exe
1712	schtasks.exe
1860	schtasks.exe
1372	schtasks.exe
652	schtasks.exe
1320	schtasks.exe
2064	schtasks.exe
2212	schtasks.exe
2736	schtasks.exe
2156	schtasks.exe
2220	schtasks.exe
280	schtasks.exe
2960	schtasks.exe
636	schtasks.exe
1948	schtasks.exe
1596	schtasks.exe
2996	schtasks.exe
896	schtasks.exe
1084	schtasks.exe
532	schtasks.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2584	DllCommonsvc.exe
2584	DllCommonsvc.exe
2584	DllCommonsvc.exe
2584	DllCommonsvc.exe
2584	DllCommonsvc.exe
2700	powershell.exe
2792	powershell.exe
2728	powershell.exe
2608	powershell.exe
2668	powershell.exe
2632	powershell.exe
2872	powershell.exe
2944	powershell.exe
2708	powershell.exe
2780	powershell.exe
2600	powershell.exe
2664	powershell.exe
2804	powershell.exe
2716	powershell.exe
2676	powershell.exe
2720	powershell.exe
2712	powershell.exe
2552	powershell.exe
2764	System.exe
1632	System.exe
2092	System.exe
1968	System.exe
2612	System.exe
2252	System.exe
2676	System.exe
1036	System.exe
2228	System.exe
2776	System.exe
1920	System.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	2584	DllCommonsvc.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	2764	System.exe
Token: SeDebugPrivilege	1632	System.exe
Token: SeDebugPrivilege	2092	System.exe
Token: SeDebugPrivilege	1968	System.exe
Token: SeDebugPrivilege	2612	System.exe
Token: SeDebugPrivilege	2252	System.exe
Token: SeDebugPrivilege	2676	System.exe
Token: SeDebugPrivilege	1036	System.exe
Token: SeDebugPrivilege	2228	System.exe
Token: SeDebugPrivilege	2776	System.exe
Token: SeDebugPrivilege	1920	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2740	2700	JaffaCakes118_3255000372abfedfb82e869c9117283e82bff3aac1a6e2f26af63958a3f0a38d.exe	30
PID 2700 wrote to memory of 2740	2700	JaffaCakes118_3255000372abfedfb82e869c9117283e82bff3aac1a6e2f26af63958a3f0a38d.exe	30
PID 2700 wrote to memory of 2740	2700	JaffaCakes118_3255000372abfedfb82e869c9117283e82bff3aac1a6e2f26af63958a3f0a38d.exe	30
PID 2700 wrote to memory of 2740	2700	JaffaCakes118_3255000372abfedfb82e869c9117283e82bff3aac1a6e2f26af63958a3f0a38d.exe	30
PID 2740 wrote to memory of 2848	2740	WScript.exe	31
PID 2740 wrote to memory of 2848	2740	WScript.exe	31
PID 2740 wrote to memory of 2848	2740	WScript.exe	31
PID 2740 wrote to memory of 2848	2740	WScript.exe	31
PID 2848 wrote to memory of 2584	2848	cmd.exe	33
PID 2848 wrote to memory of 2584	2848	cmd.exe	33
PID 2848 wrote to memory of 2584	2848	cmd.exe	33
PID 2848 wrote to memory of 2584	2848	cmd.exe	33
PID 2584 wrote to memory of 2804	2584	DllCommonsvc.exe	86
PID 2584 wrote to memory of 2804	2584	DllCommonsvc.exe	86
PID 2584 wrote to memory of 2804	2584	DllCommonsvc.exe	86
PID 2584 wrote to memory of 2708	2584	DllCommonsvc.exe	87
PID 2584 wrote to memory of 2708	2584	DllCommonsvc.exe	87
PID 2584 wrote to memory of 2708	2584	DllCommonsvc.exe	87
PID 2584 wrote to memory of 2716	2584	DllCommonsvc.exe	88
PID 2584 wrote to memory of 2716	2584	DllCommonsvc.exe	88
PID 2584 wrote to memory of 2716	2584	DllCommonsvc.exe	88
PID 2584 wrote to memory of 2944	2584	DllCommonsvc.exe	89
PID 2584 wrote to memory of 2944	2584	DllCommonsvc.exe	89
PID 2584 wrote to memory of 2944	2584	DllCommonsvc.exe	89
PID 2584 wrote to memory of 2700	2584	DllCommonsvc.exe	90
PID 2584 wrote to memory of 2700	2584	DllCommonsvc.exe	90
PID 2584 wrote to memory of 2700	2584	DllCommonsvc.exe	90
PID 2584 wrote to memory of 2668	2584	DllCommonsvc.exe	91
PID 2584 wrote to memory of 2668	2584	DllCommonsvc.exe	91
PID 2584 wrote to memory of 2668	2584	DllCommonsvc.exe	91
PID 2584 wrote to memory of 2720	2584	DllCommonsvc.exe	92
PID 2584 wrote to memory of 2720	2584	DllCommonsvc.exe	92
PID 2584 wrote to memory of 2720	2584	DllCommonsvc.exe	92
PID 2584 wrote to memory of 2664	2584	DllCommonsvc.exe	93
PID 2584 wrote to memory of 2664	2584	DllCommonsvc.exe	93
PID 2584 wrote to memory of 2664	2584	DllCommonsvc.exe	93
PID 2584 wrote to memory of 2676	2584	DllCommonsvc.exe	94
PID 2584 wrote to memory of 2676	2584	DllCommonsvc.exe	94
PID 2584 wrote to memory of 2676	2584	DllCommonsvc.exe	94
PID 2584 wrote to memory of 2792	2584	DllCommonsvc.exe	95
PID 2584 wrote to memory of 2792	2584	DllCommonsvc.exe	95
PID 2584 wrote to memory of 2792	2584	DllCommonsvc.exe	95
PID 2584 wrote to memory of 2712	2584	DllCommonsvc.exe	96
PID 2584 wrote to memory of 2712	2584	DllCommonsvc.exe	96
PID 2584 wrote to memory of 2712	2584	DllCommonsvc.exe	96
PID 2584 wrote to memory of 2780	2584	DllCommonsvc.exe	97
PID 2584 wrote to memory of 2780	2584	DllCommonsvc.exe	97
PID 2584 wrote to memory of 2780	2584	DllCommonsvc.exe	97
PID 2584 wrote to memory of 2872	2584	DllCommonsvc.exe	98
PID 2584 wrote to memory of 2872	2584	DllCommonsvc.exe	98
PID 2584 wrote to memory of 2872	2584	DllCommonsvc.exe	98
PID 2584 wrote to memory of 2728	2584	DllCommonsvc.exe	99
PID 2584 wrote to memory of 2728	2584	DllCommonsvc.exe	99
PID 2584 wrote to memory of 2728	2584	DllCommonsvc.exe	99
PID 2584 wrote to memory of 2552	2584	DllCommonsvc.exe	100
PID 2584 wrote to memory of 2552	2584	DllCommonsvc.exe	100
PID 2584 wrote to memory of 2552	2584	DllCommonsvc.exe	100
PID 2584 wrote to memory of 2600	2584	DllCommonsvc.exe	101
PID 2584 wrote to memory of 2600	2584	DllCommonsvc.exe	101
PID 2584 wrote to memory of 2600	2584	DllCommonsvc.exe	101
PID 2584 wrote to memory of 2608	2584	DllCommonsvc.exe	102
PID 2584 wrote to memory of 2608	2584	DllCommonsvc.exe	102
PID 2584 wrote to memory of 2608	2584	DllCommonsvc.exe	102
PID 2584 wrote to memory of 2632	2584	DllCommonsvc.exe	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3255000372abfedfb82e869c9117283e82bff3aac1a6e2f26af63958a3f0a38d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3255000372abfedfb82e869c9117283e82bff3aac1a6e2f26af63958a3f0a38d.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\hrtfs\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ehome\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\SetupMetrics\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HMZ9wE5u0I.bat"
        5⤵
        
        PID:2864
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1560
      - C:\Program Files (x86)\Reference Assemblies\System.exe
        
        "C:\Program Files (x86)\Reference Assemblies\System.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\grdey4A1QM.bat"
        7⤵
        
        PID:2756
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1900
        
        C:\Program Files (x86)\Reference Assemblies\System.exe
        
        "C:\Program Files (x86)\Reference Assemblies\System.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5bc4V3lt5Q.bat"
        9⤵
        
        PID:940
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2544
        
        C:\Program Files (x86)\Reference Assemblies\System.exe
        
        "C:\Program Files (x86)\Reference Assemblies\System.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j5PKlq1uIo.bat"
        11⤵
        
        PID:2260
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1704
        
        C:\Program Files (x86)\Reference Assemblies\System.exe
        
        "C:\Program Files (x86)\Reference Assemblies\System.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2Oj9OucH8K.bat"
        13⤵
        
        PID:2112
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2624
        
        C:\Program Files (x86)\Reference Assemblies\System.exe
        
        "C:\Program Files (x86)\Reference Assemblies\System.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KVYyjDtEXm.bat"
        15⤵
        
        PID:1592
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1624
        
        C:\Program Files (x86)\Reference Assemblies\System.exe
        
        "C:\Program Files (x86)\Reference Assemblies\System.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UQ4uSu8U9J.bat"
        17⤵
        
        PID:2960
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1560
        
        C:\Program Files (x86)\Reference Assemblies\System.exe
        
        "C:\Program Files (x86)\Reference Assemblies\System.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oLfAgN0jmw.bat"
        19⤵
        
        PID:2520
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1980
        
        C:\Program Files (x86)\Reference Assemblies\System.exe
        
        "C:\Program Files (x86)\Reference Assemblies\System.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1036
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xZLz5Ote6t.bat"
        21⤵
        
        PID:2424
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2192
        
        C:\Program Files (x86)\Reference Assemblies\System.exe
        
        "C:\Program Files (x86)\Reference Assemblies\System.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nl4g9d70ax.bat"
        23⤵
        
        PID:2096
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2716
        
        C:\Program Files (x86)\Reference Assemblies\System.exe
        
        "C:\Program Files (x86)\Reference Assemblies\System.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hfpeQ4JfvC.bat"
        25⤵
        
        PID:2220
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:576
        
        C:\Program Files (x86)\Reference Assemblies\System.exe
        
        "C:\Program Files (x86)\Reference Assemblies\System.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\providercommon\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Windows\ehome\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\ehome\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Windows\ehome\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Java\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
28767609cbe6a2159ae3ac92d0da50af

SHA1
a2b401afdfa0f942bfbd309380e2f7c26c00265d

SHA256
ae2d0be5f2cd4ab5ff25698745d4db370e2c1b84991a4ff87608c12d6b24be90

SHA512
0f33b32b56e681bddccdd650a4e256be2769346ddb40feee4611c1bd280e83f374c7e928127902c78d098b81765bea190ab2115bf4bf9a71730d1a8eb90b7751

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1c2fe21eda3b1220e0397ea9e4bdd59a

SHA1
fbee5bf228972f39a8c813e02a3b2716065750ff

SHA256
7736b3830f6a064f842f4ad186e2019110a9f7c02445125c23799691bf4980a5

SHA512
cde7e3f33ab8d0cea30d9698114853f065923a682331386c259e0e37dccc455b2a4e90ac2740970857c40ebbcf0a63b300d73f3a6075b04cc513d6a6381b22c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe8eacb9e82fe2285cab8880d4394763

SHA1
9adb59f7ee31bc81c91366358122ca4264514533

SHA256
16056bbd83641b07c7328341d3b36d396063736b47defd21f2eefb2b1e21c173

SHA512
20c0e1b2813e2349c0a874d3f63c9447ea8003d477c082631f48217521dd1e1d5c123bab4bd177817e9e6d6ebe90c4220f4595034a307230c962be3a3b919d95

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1eb6a05fd501925fc95afa21301c5251

SHA1
8d8c2a8850624d340aad334597d89b5354cf078e

SHA256
253c82d854f94ae103c6dd799da6929d6eb6bd06f756bf112b238e60af72fb95

SHA512
3f9c82640c41ffd0196bfe5bf9696c2f727bbb22e7f6b0ed041315b2bb850f15a6856a5bad81db03d66006b63a72555c7ab7204b8e98150ad34c7b8554eaecb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dbe7444269e0977d278029c014aebd60

SHA1
8727b48790da15747eeb8aca37171dcb596b6151

SHA256
41c908525a4b01a873ea1f079579134536315f7e22b37736758c3e9d3a37042b

SHA512
d15c4b0e904208094deddbd50980329204ba6a718514c6b9321f5df0295aa7a103edcb35379c011aa2e295d5c52694849e7487b7b9a4a858f9e799fd65232128

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
631e325b1ec42ccee023c1c52c953118

SHA1
fd8b1d7ddbe321cc199855e5160f878687629b3d

SHA256
ec4c02a010fc98d11ce4eac9c9cc77cb45472bbc924eae11ad0a7b3e76b916a4

SHA512
18f88f1f15f00a301aeec72c1eaf9a3364fe19b9a6f865091d77ff30a88dc17e7b6bb5fa8ede2f7536224dbf912e68ed00428e925394c903e2fe2fd25227d029

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
189607d763e716fe7e6fa7f09f4cc0a8

SHA1
4866efbdf32c09892847d56dc2f19cb0e46b83fb

SHA256
94ea3dce614e0165124199161b5af27014ac010103d47a49885deb8c20c1fdd8

SHA512
c2e7e6e4c2af83f8d36412211265890328a583b560e0495dd8dc5ee2a54bcb25b3ce245da8f1da8fba5952943f3b3b1dce3d0e02a8432d4697366d80ccd33f92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1aebbc34a29832a1885fd49eb6b65273

SHA1
9286ae03e0943534e8c7a6bbc1b2bd3ccc2fe3d8

SHA256
6398beb0a1b2ec21fc2dfd02fda27ff18349e2ff86cfe4cec6e817234f3c1376

SHA512
8beb8dab8aaa4c808b4321ebc186eb74a2c2ac3e07569dc5092f6070c078c003bb0917d1b2ea08086177bcf95e2b80a7bd5325dd321f2595637e1b81387cd148

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3fd53fc8675c0cd556eb1f2209108f65

SHA1
9a361bdf9921e00b2eec644f0751d331257e574a

SHA256
5c130200105f04039093f8629b4c78ef329d1ba1eb5dc58cc7c91bc9834b0c7e

SHA512
4daee5b7b1728da3f50325d3744b7a4ac30dddb00503756cd9351f09027e0857bebb7fa8b5e570dd36f211137f2d722c60c55966677a3e6846ad25db04267956

Download Submit
C:\Users\Admin\AppData\Local\Temp\2Oj9OucH8K.bat

Filesize
219B

MD5
534cbdf7d38a783687bd7cd586a05959

SHA1
daa8f3bc24e22e3594087edc7d09ae01f347fe56

SHA256
6ad2b8425dea9888d5ee8c76361c3a90af0f10b24359163cb58b1979ea06abbf

SHA512
1372dca137c8cb692d9831d867871fc3f60d4c9ca0f4c4d7a715311a6a018966e703ae4ff3b839c7b34712c04b7413516a482253b6383eeefbb341cdb7ef74d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\5bc4V3lt5Q.bat

Filesize
219B

MD5
bbf72336bf940b9bc61b0bda7021ec52

SHA1
9fc9907650e69ab66e5ab33451cc30d42bcc8e6c

SHA256
b56c9cde51e77f65b4698bf2d0fe9ecdf6fa429eb3ebfb69223457efacc66d17

SHA512
23255da6a5a93b9f276e8bd84f7662213c150e3d93a0abbe58e817d43161b03f0c35f2f36eeb71deb861e081e5abecc9b55e740fb4adb2dd510f008ae2d6c99b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAA74.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HMZ9wE5u0I.bat

Filesize
219B

MD5
9c3a7f1f8dfc5bccdf2640a65fa207be

SHA1
3ee5cdf049c81db2af7964f2e63e7de66fe2bd24

SHA256
7ab8914fa4ba835a598cb160770fa372537fe8cdcd17f60c1ca82a8b80285c6b

SHA512
5dea41a6977dcaa524b9faa7152dd2cfa2f9e16c715720cd78db0b648ffe67418795beee0b3a352f406be5eea57e37e14c36fc4ceb3c205d0ab276f0abf27737

Download Submit
C:\Users\Admin\AppData\Local\Temp\KVYyjDtEXm.bat

Filesize
219B

MD5
891bf2ae7194ba05e4e694d9f215da1f

SHA1
e391978f68c06d478e9a6cd862d40f12dd454b1e

SHA256
c3213cf38426e5304b9c9f277849bfe54b98a401804ade4c9cc56c18f2627139

SHA512
e88cbb288c1178256fa0c76605743f32c0515f378281acc4b27818d38dcc50b8b644608163a8ae7f49285e4db403fd807856a69418d2a6c5fc1bc6793cf659ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAA87.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQ4uSu8U9J.bat

Filesize
219B

MD5
ac0f34ac298e0b7c22ff717fd05180d7

SHA1
5613570139940895526095d1c581353ad3f8b183

SHA256
a62ebf800879b254843a44471042e85467e45d9bb688d6ac64360f2ce55b84f5

SHA512
989fa0cbb2bd23e9c45018f4567fbcd59c3cfdbe54dce154ba8c16d45a96ec1c2be8ab676d4e42c176ddbde375287c71f4de4f7a44a8e2a7b41f0f75a2efea7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\grdey4A1QM.bat

Filesize
219B

MD5
ad511f3baf1a6b043e8540bb2122d5ae

SHA1
d8cd665b1ca675b62530addfa530b917edfc4869

SHA256
e8fa82af6ee1dea74324c22ad6af73c3049fc1f737b8e8128b433aece78dcba4

SHA512
1a72091f7078dcb4634942d8b3ba934af8f5d53d77616203663c42e7259bb8e2466b44e93cdeff695f0cdc0b30de50d186e23d47b4ba0858c7f33c2d74a63e28

Download Submit
C:\Users\Admin\AppData\Local\Temp\hfpeQ4JfvC.bat

Filesize
219B

MD5
e7a2913f779d4b1ab319a57038f878e6

SHA1
074b2b968b64bf81c2d786559d0e00e87901e177

SHA256
621fd6a374c04fd19a0b799d51c736f50a3d263ba899a098ed90458eb7a5bb47

SHA512
ac98329c541110c48e1bedbd5009eba5a007a3e18161cce235f87d94fd3a927bd531960de31e1d5161bd9c36a55ff2c9d3177f2d79f5786de9894928fd74ccfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\j5PKlq1uIo.bat

Filesize
219B

MD5
6669f2d30cd6a9cca45a93b1019fa8dd

SHA1
f7c701fb75b4f1e27f606e69579de61a81e9bf8b

SHA256
b7b9ce051f14f9d50b503d0e9cc2182eff9df5214e32a2f330b611298b0be134

SHA512
f490a802c867740c6ce2628790bff07f18087697f19d89a2dad658734a294555b1ce38c7831cdf0983efc369c55c04dc9167bd144a2ae88158ab34f34a4063de

Download Submit
C:\Users\Admin\AppData\Local\Temp\nl4g9d70ax.bat

Filesize
219B

MD5
3cd41bfbeaae275d31253a451270eeed

SHA1
73cfc8d904b1f0a2658a7273459c275356bf1aad

SHA256
5f86766e6e01f939f263d9a72216c17030fc3cd4e256bc6ab917b19d8d44bc5c

SHA512
cda10108a6accac2afe4765abe4eca912ec99cc9de69b116a3b2c1ab2b11ba17b223fc339ce9f5854ca1a1254fc29e448d72678acea90344d84705da4029b57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\oLfAgN0jmw.bat

Filesize
219B

MD5
75a1e80f570794b37b41c531f6ad7b7d

SHA1
6af64f3dd202ea8a0f7ba04a3089f3e33bcfc738

SHA256
161fc5d669e708f30c7f34d2705c76728d88834df3065bbc3b976771cfd725dc

SHA512
f1f826310ea27269067064e502ab03dd33639d70a8dc42d352598b8ff683b87f90b077f033fd0fcf7cb7dbceca60541150f8480aec3a6c6893206c8915f861a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\xZLz5Ote6t.bat

Filesize
219B

MD5
0607937429ce0fa53de15a9b4f3f75bd

SHA1
95a444d036b9e89a74b8f5808ec6b6253555e510

SHA256
ead9e60aaa52f76e49b7730a593f6cc5bad594cb431e60fd0f1a6d9f8f83b0ed

SHA512
035fdff2909304cbadb690c581ea54dbcdf4462c8888593a796b527432de303ceead8bb2d01f8b9e5231eb5895315bb13684084fa89422e25590e25f9f232a10

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c7b86bac2047e20108bc0bf202530328

SHA1
d4a4c0533cec0a63b1aa0664e68b552eabc0802f

SHA256
efcc6f7b1ddf419a9ac89e274318aeab9461e48f22c4a2e81519615f9e1aaf8a

SHA512
cb6fae9a9289640e31cf231e2ea89312093fe133f8de2bccbeb3ecbea8d2366f68cd9d108e30f38a2a58ceb370cc82f5a129cd41b979acd3425dd1792aab8059

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1036-568-0x0000000000210000-0x0000000000320000-memory.dmp

Filesize
1.1MB

Download
memory/1632-209-0x0000000000DF0000-0x0000000000F00000-memory.dmp

Filesize
1.1MB

Download
memory/1920-748-0x0000000000280000-0x0000000000390000-memory.dmp

Filesize
1.1MB

Download
memory/1968-329-0x00000000000A0000-0x00000000001B0000-memory.dmp

Filesize
1.1MB

Download
memory/2092-269-0x00000000002B0000-0x00000000002C2000-memory.dmp

Filesize
72KB

Download
memory/2228-628-0x0000000000D50000-0x0000000000E60000-memory.dmp

Filesize
1.1MB

Download
memory/2252-449-0x0000000001390000-0x00000000014A0000-memory.dmp

Filesize
1.1MB

Download
memory/2584-14-0x0000000000640000-0x0000000000652000-memory.dmp

Filesize
72KB

Download
memory/2584-13-0x0000000000E10000-0x0000000000F20000-memory.dmp

Filesize
1.1MB

Download
memory/2584-15-0x0000000000660000-0x000000000066C000-memory.dmp

Filesize
48KB

Download
memory/2584-16-0x0000000000650000-0x000000000065C000-memory.dmp

Filesize
48KB

Download
memory/2584-17-0x0000000000880000-0x000000000088C000-memory.dmp

Filesize
48KB

Download
memory/2612-389-0x0000000000800000-0x0000000000910000-memory.dmp

Filesize
1.1MB

Download
memory/2764-150-0x00000000008C0000-0x00000000009D0000-memory.dmp

Filesize
1.1MB

Download
memory/2776-688-0x00000000010B0000-0x00000000011C0000-memory.dmp

Filesize
1.1MB

Download
memory/2792-77-0x000000001B500000-0x000000001B7E2000-memory.dmp

Filesize
2.9MB

Download
memory/2792-86-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download